Protected media pipeline

ABSTRACT

A system for processing a media content comprising an application space, a media control mechanism operating in the application space, the media control mechanism controlling the operation of the system, a user interface adapted to provide input to the media control mechanism, a protected space distinct from the application space, and a protected media pipeline operating in the protected space, the protected media pipeline coupled to the media control mechanism, the protected media pipeline adapted to access the media content, process the media content, and output the media content.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a Continuation of and claims benefit from U.S.patent application Ser. No. 11/116,689 that was filed on Apr. 27, 2005,and that is a Non-Provisional of U.S. Provisional Patent Application No.60/673,979 that was filed on Apr. 22, 2005, each of which isincorporated herein by reference in its entirety.

DESCRIPTION OF THE DRAWINGS

The present description will be better understood from the followingdetailed description read in light of the accompanying drawings,wherein:

FIG. 1 is a block diagram showing an example of a typical prior artmedia player or application designed to operate on an exemplary personalcomputer.

FIG. 2 is a block diagram showing an example of a trusted media systemcomprising an application space and a distinct protected space.

FIG. 3 is a block diagram showing exemplary components comprising anend-to-end system for protecting media content and other data frominitial input to final output of a computing environment.

FIG. 4 is a block diagram showing exemplary components comprising aprotected media pipeline operating in a protected space as part of atrusted media system.

FIG. 5 is a block diagram showing an alternate example of a protectedmedia pipeline having a proxied media source as part of a trusted mediasystem.

FIG. 6 is a block diagram showing an example of a further alternativeexample of a trusted media system.

FIG. 7 is a block diagram showing a plurality of protected mediapipelines.

FIG. 8 is a block diagram showing an exemplary computing environment inwhich the software applications, systems and methods described in thisapplication may be implemented.

FIG. 9 is a block diagram showing a conventional media applicationprocessing media content operating in a conventional computingenvironment with an indication of an attack against the system.

FIG. 10 is a block diagram showing a trusted application processingmedia content and utilizing a protected environment or protected spacethat tends to be resistant to attack.

FIG. 11 is a block diagram showing exemplary components of a trustedapplication that may be included in the protected environment.

FIG. 12 is a block diagram showing a system for downloading digitalmedia content from a service provider that utilizes an exemplary trustedapplication utilizing a protected environment.

FIG. 13 is a block diagram showing exemplary attack vectors that may beexploited by a user or mechanism attempting to access media content orother data typically present in a computing environment in anunauthorized manner.

FIG. 14 is a flow diagram showing the process for creating andmaintaining a protected environment that tends to limit unauthorizedaccess to media content and other data.

FIG. 15 is a block diagram showing exemplary kernel components and othercomponents utilized in creating an exemplary secure computingenvironment.

FIG. 16 and FIG. 17 are flow diagrams showing an exemplary process forloading kernel components to create an exemplary secure computingenvironment.

FIG. 18 is a block diagram showing a secure computing environmentloading an application into an exemplary protected environment to form atrusted application that may be resistant to attack.

FIG. 19 is a flow diagram showing an exemplary process for creating aprotected environment and loading an application into the protectedenvironment.

FIG. 20 is a block diagram showing an exemplary trusted applicationutilizing an exemplary protected environment periodically checking thesecurity state of the secure computing environment.

FIG. 21 is a flow diagram showing an exemplary process for periodicallychecking the security state of the secure computing environment.

FIG. 22 is a block diagram showing an exemplary computing environmentincluding a representation of a protected environment, a trusted mediasystem, and other related elements.

Like reference numerals are used to designate like elements in theaccompanying drawings.

DETAILED DESCRIPTION

The detailed description provided below in connection with the appendeddrawings is intended as a description of the present examples and is notintended to represent the only forms in which the present examples maybe constructed or utilized. The description sets forth the functions ofthe examples and the sequence of steps for constructing and operatingthe examples. However, the same or equivalent functions and sequencesmay be accomplished by different examples.

Although the present examples are described and illustrated herein asbeing implemented in a computer system, the system described is providedas an example and not a limitation. As those skilled in the art willappreciate, the present examples are suitable for application in avariety of different types of electronic systems.

Introduction

Digital media content is widely used in the form of CDs, DVDs anddownloadable files. Various devices are able to process this mediacontent including personal computers running various media playerapplications and the like, CD and DVD players, MP3 players and othergeneral-purpose and/or dedicated electronic devices designed to processdigital media content.

Because media content often comes in the form of a for-sale consumerproducts and the like, producers and providers may be anxious to protecttheir media content from unauthorized access, duplication, use, etc.Therefore, media content is often encrypted and/or otherwise secured.Some form of encryption key and/or other access mechanism may beprovided for use with the media so that it can be accessed when and howappropriate. This key or mechanism may be used by a media application orthe like to gain access to the protected media for processing, playing,rendering, etc.

Once the key or other mechanism has been used to decrypt or otherwiseaccess media content within a system the media content may be vulnerablein its unprotected form. It may be possible to attack the system and/ormedia application so as to gain access to the unprotected media content.This may lead to the unauthorized access, use, duplication,distribution, etc. of the media content.

To avoid unauthorized access, a system that rightfully accesses themedia content should be capable of protecting the media content. Thisprotection should extend from the time the key or the like is obtained,used to access the media content, throughout any processing performed onthe content, until the content is appropriately rendered in itsauthorized form. For example, a particular meeting may be recorded andencrypted using an access key with the intent of making the recordingavailable to authorized personnel. Later, the recording is madeavailable to an authorized individual via a media application on a PC.The media application uses the key to decrypt and access the mediacontent, process it and play it for the listener. But if the mediaapplication itself has been compromised, or the application and/orcontent is attacked, the unencrypted media may no longer be protected.

One approach may be to construct a system for accessing, processing andrendering the media content within a protected environment that isdesigned to prevent unauthorized access to the media content. Theexample provided here describes a process and system for protectingmedia content from unauthorized access. Protection may be afforded by aprotected media pipeline, among other mechanisms, which processes some,or all, of a media within a protected environment or protected space. Aprotected media pipeline may be composed of several elements.

A media source that may be part of the protected media pipeline accessesthe media content, passes it through a set of transform functions orprocesses (decoders, effects, etc.) and then to a media sink whichrenders the processed media to a media output(s) (video renderingprocess, audio rendering process, etc). As an example, rendering may beas simple as sending audio signals to a set of headphones or it may besending protected content in a secure manner to yet another process,system or mechanism external to the protected media pipeline.

A protected media pipeline may be constructed as a set or chain of mediaprocessing mechanisms operating in a secure or protected environment. Ina PC, a protected media pipeline can be thought of as a software processthat operates in a secure environment which protects the media contentfrom unauthorized access while the content is being accessed, playedand/or otherwise processed by the media system. When media content isbeing processed by an electronic device, a protected media pipeline canbe thought of as a set of media processing mechanisms operating within asecure environment such that the media being processed is resistant tounauthorized access. The mechanism for providing this resistance may bepurely physical in nature, such as a sealed case or lack of accesspoints to the media content.

There may be two major aspects to constructing a trusted media systemwith a protected media pipeline. First, a trusted media system may bedesigned and constructed in such a way that it acknowledges and adheresto any access rules of the media content by ensuring that no actions aretaken with the content above and beyond those allowed. Variousmechanisms known to those skilled in this technology area may be used toaddress this first point. These mechanisms may include usingencryption/decryption, key exchanges, passwords, licenses, interactionwith a digital rights management system, and the like. Further, this maybe as simple as storing the media content on/in a device such that it isresistant to physical, electronic or other methods of accessing andusing the media content, except as intended.

Second, the trusted media system may be designed and constructed suchthat the media content being processed is secure from malicious attacksand/or unauthorized access and use. Processing the media content via aprotected media pipeline operating in a protected environment orprotected space addresses this second point. So in short, a protectedmedia pipeline operating in a protected space refers to a mediaprocessing environment that resists unauthorized access to the mediacontent being processed.

FIG. 1 is a block diagram showing an example of a typical prior artmedia player or application 100 designed to operate on an exemplarypersonal computer (FIG. 8, 800). Equivalently, media players may operateon other devices with similar processing capabilities such as consumerelectronic devices and the like. Other media applications may include,but are not limited to, media processors, media manipulators, mediaanalyzers, or media formatters. A media application may be a softwareapplication program that provides a way of playing media such as audioand video by a digital processor such as a CPU (FIG. 8, 807) or thelike. A media application may include a user interface or graphic 101that may indicate the media being played and provides various usercontrols. Controls may be accessed through activation with a computerpointing device such as a mouse or by conventional buttons or the like.Such a media application may be thought of as a software applicationprogram operating in an application space 102 that is provided by thePC's computing environment (FIG. 8, 801) or operating system.

Another example of a media player may be a hardware device comprising amemory capable of storing media content and various button, switches,displays and controls and the like to allow a user to control thedevice, select the media to be played, control volume, download mediacontent, etc.

The media player 100 may be comprised of mechanisms 104, 106 and 108.These mechanisms may operate in the application space 102. For asoftware media player, an application space 102 may be a space createdin system memory (FIG. 8, 809) on a PC (FIG. 8, 800) where varioussoftware components or processes can be loaded and executed. For ahardware media player an application space 102 may be a printed circuitboard and an electronic module containing the electronic elements thatperform the processing and functions of the media player 100. The mediaplayer application 100 may include other spaces and mechanisms which mayprovide additional capabilities or features that may or may not bedirectly related to the processing of media. For example, a second mediaplayer playing a music selection may operate in a media application atthe same time as a media player playing a newscast.

The application space 102 may include a user interface process 104coupled to a media control process 106 which in turn is coupled to amedia processing process 108. Typically these processes enable the mediaapplication 100 to couple to a source of media content 110, process themedia content 110 and render it via media output 130. The media content110 may or may not be encrypted or otherwise protected as part of anoverall security and access control scheme.

For example, when activated the media application 100 may access audiocontent 112 and video content 114 typically available on a DVD ROM, anon-line source, or the like. The media content 110 may be played viamedia processing 108 which renders the content as audio output 132and/or video output 134. Audio and video may typically be rendered onthe speakers and/or display of a PC (FIG. 8, 800). This system is onlyone example of common media applications and environments that enableaudio and video and the like to be processed, played and/or provided toother processes or systems. Another example of a media application wouldbe a consumer electronic device such as an electronic juke box or thelike. Yet another example would be a dedicated electronic device, withor without software and/or firmware.

Application space 102 may contain various processes and, in thisexample, includes the user interface process 104, the media controlprocess 106, the media processing process 108, or their equivalents,used to coordinate and control the overall operation of the mediaapplication 100 and its processes. Typically, to prepare the mediacontent 110, the user interface process 104 may provide an interface 101for interaction between the user and the application. The media controlprocess 106 or its equivalents may provide the overall management andcontrol of the internal operations of the media application 100. Themedia processing process 108 may perform the processing of the mediacontent 110 making it possible to render the media content via the mediaoutput 130, or perform whatever other media processing it may have beendesigned to perform.

The processes described above may not be secure against unauthorizedaccess to the media content 110. Processing the media content 110 viasuch a system may expose it to unauthorized access. Such an unprotectedapplication may enable users and/or attackers, with varying degrees ofeffort, to access and make use of the media content 110 in anunauthorized manner. For example, unauthorized access may enable theunauthorized sharing, copying, modifying, and/or distributing of mediacontent 110.

Exemplary Trusted Media System

FIG. 2 is a block diagram showing an example of a trusted media system200 comprising an application space 202 and a distinct protected space230. In this exemplary embodiment of a media player the system comprisesa protected media pipeline 232 operating within a protected space 230 inaddition to user interface 204 and media control 206 mechanismsoperating in the application space 202.

The protected space 230 typically provides a protected environment formedia content 110 processing, the protected space 230 resistingunauthorized access to the media content 110 during processing. Mediacontent 110 is typically protected by various built-in security schemesto deliver it un-tampered—with to a user, such as encryption and thelike. However, once the media content 110 is decrypted or the like forprocessing, additional mechanisms to protect it from unauthorized accessare required. A protected media pipeline 232 operating in a protectedspace 230.

Application space 202 may be contain various mechanisms including, butnot limited to, a user interface mechanism 204 and a media controlmechanism 206, or their equivalents, which are coupled to the protectedmedia pipeline 232 operating within the protected space 230. Typicallythe user interface process 204 may provide an interface 201 or set ofcontrols for interaction between the user and the system. The mediacontrol process 206 may provide the overall management and control ofthe internal operations of the trusted media system 200. The protectedmedia pipeline 232 operating in the protected space 230 may perform theprocessing of the media content 110 and render the content via the mediaoutput 130, or perform whatever other media processing the media system200 is designed to perform.

One or more protected spaces 230 may be provided as an extension of acomputing environment (FIG. 8, 801) and typically possess a heightenedlevel of security and access control. A protected space 230 may alsoinclude mechanisms to ensure that any mechanism operating inside it,such as a protected media pipeline 232, along with any media contentbeing processed within the protected space 230, are used and accessedappropriately. In some embodiments the access and use privileges may beindicated by a media content license and/or a digital rights managementsystem. Alternatively, mechanisms such as password protection,encryption and the like may provide access control.

FIG. 3 is a block diagram showing exemplary components comprising anend-to-end system for protecting media content 110 and other data frominitial input 302 to final output 308 of a computing environment 800.Such a system tends to protect media 110 or other data from the point ofentry into a computing environment 800 to its final output 130 inaddition to providing protection during processing within a protectedmedia pipeline 232 and/or other processing components. Such end-to-endprotection may be provided via three major components-protected input302, a protected space 230 for processing and protected output 308.

Protected input 302 may be implement in hardware and/or software and maylimit unauthorized access to media content 110 and/or other data as itis initially received onto the system 800 from some source such as astorage device, network connection, physical memory device and the like.The protected input 302 may be coupled to a protected media pipeline 232via a secure connection 304. The secure connection 304 allows transferof the media content 110 between the protected input 302 and theprotected media pipeline 232 and/or other processing components and maybe implemented using mechanisms such that it is tamper resistant.

Protected output 306 may be implemented in hardware and/or software andmay limit unauthorized access to media content 110 as it is transferredfrom a protected media pipeline 232 or other processing to the output ofthe computing environment 800 which may be speakers, video displays,storage media, network connections and the like. The protected output308 may be coupled to a protected media pipeline 232 via a secureconnection 306. The secure connection 306 allows transfer of the mediacontent 110, which may be in a processed form, between the protectedmedia pipeline 232 and the protected output 308 and may be implementedusing mechanisms such that it is tamper resistant.

Tamper resistance as used here includes limiting unauthorized access,resisting attack and otherwise protecting media content and/or otherdata from being compromised.

A protected space may also be referred to as a protected environment.Protected spaces or environments and their creation and maintenance aredescribed beginning with the description of FIG. 9 below.

Protected Media Pipeline

FIG. 4 is a block diagram showing exemplary components comprising aprotected media pipeline 232 operating in a protected space 230 as partof a trusted media system 200. The components 400, 421, 422, 425, and480 form a protected media pipeline 232 operating in a protected space230. Of these components, the transforms mechanisms 420 process themedia content to prepare it for output. The protected space 230 may alsocontain other protected elements 410 of the trusted media system 200.

The protected media pipeline 232 typically performs the function ofaccessing and processing protected media content 110 and producing aprotected output in the format determined by the trusted media system200. Unprotected media content may also be processed in a protectedmedia pipeline 232. Further, unprotected media pipelines may beconstructed and operate in the application space 202 or other spaces.However, an unprotected media pipeline operating in the applicationspace 202 would not benefit from a protected environment 230 whichlimits unauthorized access to the media content. For processing sometypes of media content, such as unprotected or unencrypted mediacontent, an unprotected pipeline may be acceptable. In some embodimentsthere may be a plurality of media content having different securitylevels (some protected and some unprotected), processed through one ormore pipelines each adapted to provide the desired level of protection.

In the protected media pipeline 232 a media source 400 may be coupled toa series of transform functions or mechanisms 420. A first transformfunction F(a)1 421 may be coupled to a second transform function F(b)2422 which in turn may be coupled to any number of additional transformfunctions represented by F(z)n 425. The output of the set of transformfunctions 420 may be coupled to a media sink 480. There are typicallyone or more transform functions in a protected media pipeline 232, thespecific function of each transform depending on the media content 110and the processing that the trusted media system 200 is designed toperform.

The example shown illustrates transform mechanisms that may be connectedin series forming a transform chain. In alternative embodiments of aprotected media pipeline 232, two or more of the transform mechanismsmay be coupled in parallel and/or two or more media pipelines may becoupled at some point in each pipeline's transform chain forming asingle pipeline from that point forward. Further, each transform mayhave a single input or a plurality of inputs and they may have a singleoutput or a plurality of outputs.

The media source 400 may access media content 110 via hardware and/orappropriate driver software or the like. For example, using a PC forprocessing music stored on a CD, the media source 400 couples to CD ROMdriver software which controls the CD ROM drive hardware (FIG. 8, 804)to read audio data from a CD ROM disk (FIG. 8, 806). The media source400 is a mechanism used in the construction of a media pipeline toaccess and receive the media content 110 and make it available to theremaining mechanisms of the media pipeline. Alternatively, a mediasource 400 may couple with a semiconductor memory in a consumerelectronic device to access music stored on the device. Equivalent mediasources may provide access to one or more types of media content,including video, digital recordings, and the like.

The media transforms 420, represented by F(a)1, F(b)2 and F(z)n, (421,422 and 425 respectively) perform specific operations on the mediacontent provided by the media source 400 and may each perform differentoperations. There are typically at least one media transform in a mediapipeline. The media transforms 421, 422 and 425 prepare and/or processthe media content 110 for rendering via the media output 130 and/or forfurther processing. The specific transformations performed may includeoperations such as encryption and/or decryption of media content, imageenhancement of video content, silence detection in audio content,decompression, compression, volume normalization, and the like.Transforms may process media content 110 automatically or be controlledby a user via virtual or physical handles provided through a userinterface 204. The specific transforms provided in a pipeline depend onthe media content 110 to be processed and the function the trusted mediasystem 200 has constructed the pipeline to perform. In a simple mediasystem or application the processing may be as minimal as decoding anaudio media and controlling the volume of the media accessed from asemiconductor memory and played on a headset. In a more complex mediasystem or application a wide variety of processing and mediamanipulation are possible.

In a trusted media system 200 designed to process encrypted mediacontent one of the transform mechanisms, typically the first transformF(a)1 421, may be a codec which decodes the media content such that itmay be further processed. In alternative examples, decryption and/ordecompression operations may be performed by distinct mechanisms and oneor both operations may be eliminated depending on the format of mediacontent being processed.

When operating on a PC, the media sink 480 may couple the processed ortransformed media content 110 to the media output 130 via the media I/Ohardware (FIG. 8, 812) controlled by appropriate driver programs. Forexample, in the case of audio data, the media sink 480 may couple to anavailable sound driver program which couples audio data that has beentransformed to audio output hardware such as an amplifier and/orspeakers (FIG. 2, 132). When operating on a consumer electronic device,the media sink 480 may be coupled, for example, to an audio amplifierwhich in turn couples to speakers or a headset through a connector onthe device's case.

By constructing a pipeline that performs the sourcing, transform andsinking functions within a protected space 230, unauthorized access tothe media content 110 may be restricted in a manner that conforms to thewishes of the media content provider/owner. Thus, this approach tends toprovide a secure processing environment such that a media contentprovider may trust that their media content 110 will not be compromisedwhile being processed.

The output of the protected media pipeline 232 may be coupled to theinput of a media output 130. Alternatively the output of a protectedmedia pipeline 232 may couple to the input of another protected mediapipeline or some other process. This coupling may be implemented suchthat it is tamper resistant and restricts unauthorized access to anydata or media content flowing from one pipeline to another or to someother process. The remainder of the elements illustrated in FIG. 4operate as previously described for FIG. 2.

FIG. 5 is a block diagram showing an alternate example of a protectedmedia pipeline 552 having a proxied media source 510 as part of atrusted media system 500. The proxied media source 510 includes a mediasource portion 518 and a stub portion 520 that may operate in anunprotected application space 502, and a proxy portion 540 that mayoperate in a protected space 550. The proxied media source 510 may allowmedia content 110 to be transferred from the application space 502 viathe media source 518 and the stub 520 to the protected space 550 via theproxy 540 by using remote procedure calls or the like.

When used in a PC environment (FIG. 8, 800), the proxied media source510 architecture described here may simplify the creation of the mediasource modules by third-party software makers or content providers. Sucha simplification may be provided by splitting the proxied media source510 such that media application writers may only need to implement themedia source portion 518. The stub portion 520 and proxy portion 540 maybe provided as an element of the protected environment 550.

Further, the use of a proxied media source 510 may support mixingprotected and unprotected media content 110 by allowing protected mediacontent to be directed from a media source 518 to a first stub operatingas part of a protected media pipeline while the unprotected mediacontent may be directed from the media source 518 to processing modulesoperating within the unprotected application space 502 or otherunprotected space via a second stub portion also operating within theunprotected application space 502 or some other unprotected space.

Similar to the proxied media source 510, the media sink 480 may also beproxied and split into stub and proxy portions. The stub portion mayoperate in the protected space 650 and may encrypt data prior toforwarding it to the proxy portion operating in an application space 202or some other space. The remainder of the elements in FIG. 5 operate aspreviously described for FIG. 4.

FIG. 6 is a block diagram showing an example of a further alternativeexample of a trusted media system 600. In this embodiment the trustedmedia system 600 includes a protected media source 610 constructed toinclude a media source portion 618 and a stub portion 620 which operatein a protected media space 609, and a proxy portion 640 which operatesin a protected space 650. The two protected regions 609 and 650 arecoupled by the protected media source 610 with data being passed fromthe media source portion 618 via the stub portion 620 operating in theprotected media space 609 to the proxy portion 640 operating in theprotected space 650. The protected media source 610 may allow mediacontent 110 to be transferred from the protected media space 609 to theprotected pipeline space 650 using remote procedure calls or the like.The protected media source 610 architecture described here may simplifythe creation of the media source by third-parties or content providersand result in more stable and secure protected media applications 600.The remaining elements of FIG. 6 operate as previously described forFIG. 4 and FIG. 5.

FIG. 7 is a block diagram showing a plurality of protected mediapipelines 751-759. The protected media pipelines 751, 752, 759 operatein a protected space 700. Alternatively each protected media pipelinemay operate in its own protected space or various numbers of pipelinesmay be grouped into one or more protected spaces in any combination. Atrusted media system may provide several such protected media pipelines.

An example of such a system may be a trusted media system playing a DVDwith its audio content in Dolby digital 5.1 format. In this examplethere may be six different audio pipelines, one for each of the audiochannels, in addition to a video pipeline for the video portion of theDVD. All of the protected media pipelines may operate in the sameprotected space as shown or, alternatively, the protected mediapipelines may be grouped in groups of one or more with each groupoperating in its own distinct protected space.

In alternative embodiments of a protected media pipeline 232, two ormore of the sources, transform mechanisms and/or sinks may be coupled inparallel and/or two or more media pipelines may be coupled at some pointin each pipeline forming a single pipeline from that point forward.Alternatively a single pipeline may split into two pipelines. Further,sources, transforms and/or sinks may have a single input or a pluralityof inputs and/or they may have a single output or a plurality ofoutputs. The remaining elements of FIG. 7 operate as previouslydescribed for FIG. 4.

FIG. 8 is a block diagram showing an exemplary computing environment 800in which the software applications, systems and methods described inthis application may be implemented. Exemplary personal computer 800 isonly one example of a computing system or device that may process mediacontent (FIG. 4, 110) and is not intended to limit the examplesdescribed in this application to this particular computing environmentor device type.

The computing environment can be implemented with numerous other generalpurpose or special purpose computing system configurations. Examples ofwell known computing systems may include, but are not limited to,personal computers 800, hand-held or laptop devices,microprocessor-based systems, multiprocessor systems, set top boxes,programmable consumer electronics, gaming consoles, consumer electronicdevices, cellular telephones, PDAs, and the like.

The PC 800 includes a general-purpose computing system in the form of acomputing device 801. The components of computing device 801 may includeone or more processors (including CPUs, GPUs, microprocessors and thelike) 807, a system memory 809, and a system bus 808 that couples thevarious system components. Processor 807 processes various computerexecutable instructions to control the operation of computing device 801and to communicate with other electronic and computing devices (notshown) via various communications connections such as a networkconnection 814 an the like. The system bus 808 represents any number ofseveral types of bus structures, including a memory bus or memorycontroller, a peripheral bus, an accelerated graphics port, and aprocessor or local bus using any of a variety of bus architectures.

The system memory 809 includes computer readable media in the form ofvolatile memory, such as random access memory (RAM), and/or non-volatilememory, such as read only memory (ROM). A basic input/output system(BIOS) may be stored in ROM. RAM typically contains data and/or programmodules that are immediately accessible to and/or presently operated onby one or more of the processors 807. A trusted media system 200 may becontained in system memory 809.

Mass storage devices 804 and 810 may be coupled to the computing device801 or incorporated into the computing device by coupling to the systembus. Such mass storage devices 804 and 810 may include a magnetic diskdrive which reads from and/or writes to a removable, non volatilemagnetic disk (e.g., a “floppy disk”) 805, or an optical disk drive thatreads from and/or writes to a removable, non-volatile optical disk suchas a CD ROM, DVD ROM or the like 806. Computer readable media 805 and806 typically embody computer readable instructions, data structures,program modules and the like supplied on floppy disks, CDs, DVDs,portable memory sticks and the like.

Any number of program modules may be stored on the hard disk 810, othermass storage devices 804, and system memory 809 (limited by availablespace), including by way of example, an operating system(s), one or moreapplication programs, other program modules, and program data. Each ofsuch operating system, application program, other program modules andprogram data (or some combination thereof) may include an embodiment ofthe systems and methods described herein. For example, a trusted mediasystem 200 may be stored on mass storage devices 804 and 810 and/or insystem memory 809.

A display device 134 may be coupled to the system bus 808 via aninterface, such as a video adapter 811. A user can interface withcomputing device 800 via any number of different input devices 803 suchas a keyboard, pointing device, joystick, game pad, serial port, and/orthe like. These and other input devices may be coupled to the processors807 via input/output interfaces 812 that may be coupled to the systembus 808, and may be coupled by other interface and bus structures, suchas a parallel port, game port, and/or a universal serial bus (USB).

Computing device 800 may operate in a networked environment usingcommunications connections to one or more remote computers and/ordevices through one or more local area networks (LANs), wide areanetworks (WANs), the Internet, optical links and/or the like. Thecomputing device 800 may be coupled to one or more networks via networkadapter 813 or alternatively by a modem, DSL, ISDN interface and/or thelike.

Communications connection 814 is an example of communications media.Communications media typically embody computer readable instructions,data structures, program modules or other data in a modulated datasignal such as a carrier wave or other transport mechanism and includesany information delivery media. The term “modulated data signal” means asignal that has one or more of its characteristics set or changed insuch a manner as to encode information in the signal. By way of example,and not limitation, communications media include wired media such as awired network or direct-wired connection, and wireless media such asacoustic, radio frequency, infrared, and other wireless media.

Those skilled in the art will realize that storage devices utilized tostore computer-readable program instructions can be distributed across anetwork. For example a remote computer or device may store an example ofthe system described as software. A local or terminal computer or devicemay access the remote computer or device and download a part or all ofthe software to run the program. Alternatively the local computer maydownload pieces of the software as needed, or distributively process thesoftware by executing some of the software instructions at the localterminal and some at remote computers or devices.

Those skilled in the art will also realize that by utilizingconventional techniques known to those skilled in the art that all, or aportion, of the software instructions may be carried out by a dedicatedelectronic circuit such as a digital signal processor (“DSP”),programmable logic array (“PLA”), or the like. The term electronicapparatus as used herein includes computing devices, consumer electronicdevices including any software and/or firmware and the like, andelectronic devices or circuits containing no software and/or firmwareand the like.

The term computer readable medium may include system memory, hard disks,mass storage devices and their associated media, communications media,and the like.

Protected Environment

FIG. 9 is a block diagram showing a conventional media application 100processing media content 110 operating in a conventional computingenvironment 900 with an indication of an attack 907 against the system901. A conventional computing environment 900 may be provided by apersonal computer (“PC”) or consumer electronics (“CE”) device 901 thatmay include operating system (“OS”) 902. Typical operating systems oftenpartition their operation into a user mode 903, and a kernel mode 904.User mode 903 and kernel mode 904 may be used by one or more applicationprograms 100. An application program 100 may be used to process mediacontent 110 that may be transferred to the device 901 via somemechanism, such as a CD ROM drive, Internet connection or the like. Anexample of content 110 would be media files that may be used toreproduce audio and video information.

The computing environment 900 may typically include an operating system(“OS”) 902 that facilitates operation of the application 100, inconjunction with the one or more central processing units (“CPU”). Manyoperating systems 902 may allow multiple users to have access to theoperation of the CPU. Multiple users may have ranges of accessprivileges typically ranging from those of a typical user to those of anadministrator. Administrators typically have a range of accessprivileges to applications 100 running on the system, the user mode 903and the kernel 904. Such a computing environment 900 may be susceptibleto various types of attacks 907. Attacks may include not only outsidersseeking to gain access to the device 901 and the content 110 on it, butalso attackers having administrative rights to the device 901 or othertypes of users having whatever access rights granted them.

FIG. 10 is a block diagram showing a trusted application 200 processingmedia content 110 and utilizing a protected environment or protectedspace 230 that tends to be resistant to attack 1005. The term “trustedapplication”, as used here, may be defined as an application thatutilizes processes operating in a protected environment such that theytend to be resistant to attack 1005 and limit unauthorized access to anymedia content 110 or other data being processed. Thus, components orelements of an application operating in a protected environment aretypically considered “trusted” as they tend to limit unauthorized accessand tend to be resistant to attack. Such an application 200 may beconsidered a trusted application itself or it may utilize anothertrusted application to protect a portion of its processes and/or data.

For example, a trusted media player 200 may be designed to play mediacontent 110 that is typically licensed only for use such that the mediacontent 110 cannot be accessed in an unauthorized manner. Such a trustedapplication 200 may not operate and/or process the media content 110unless the computing environment 1000 can provide the required level ofsecurity, such as by providing a protected environment 230 resistant toattack 1005.

As used herein, the term “process” may be defined as an instance of aprogram (including executable code, machine instructions, variables,data, state information, etc.), residing and/or operating in a kernelspace, user space and/or any other space of an operating system and/orcomputing environment.

A digital rights management system 1004 or the like may be utilized withthe protected environment 230. The use of a digital rights managementsystem 1004 is merely provided as an example and may not be utilizedwith a protected environment or a secure computing environment.Typically a digital rights management system utilizes tamper-resistantsoftware (“TRS”) which tends to be expensive to produce and maynegatively impact computing performance. Utilizing a trusted application200 may minimize the amount of TRS functionality required to provideenhanced protection.

Various mechanisms known to those skilled in this technology area may beutilized in place of, in addition to, or in conjunction with a typicaldigital rights management system. These mechanisms may include, but arenot limited to, encryption/decryption, key exchanges, passwords,licenses, and the like. Thus, digital right management as used hereinmay be a mechanism as simple as decrypting an encrypted media, utilizinga password to access data, or other tamper-resistant mechanisms. Themechanisms to perform these tasks may be very simple and entirelycontained within the trusted application 200 or may be accessed viainterfaces that communicate with complex systems otherwise distinct fromthe trusted application 200.

FIG. 11 is a block diagram showing exemplary components of a trustedapplication 200 that may be included in the protected environment 230. Atrusted application 200 will typically utilize a protected environment230 for at least a portion of its subcomponents 232, 400, 480. Othercomponents 1101 of the trusted application may not utilize a protectedenvironment. Components 232, 400 and 480 involved in the processing ofmedia content or data that may call for an enhanced level of protectionfrom attack or unauthorized access may operate within a protectedenvironment 230. A protected environment 230 may be utilized by a singletrusted application 200 or, possibly, by a plurality of trustedapplications. Alternatively, a trusted application 200 may utilize aplurality of protected environments. A trusted application 200 may alsocouple to and/or utilize a digital rights management system 1004.

In the example shown, source 400 and sink 480 are shown as part of amedia pipeline 232 operating in the protected environment 230. Aprotected environment 230 tends to ensure that, once protected and/orencrypted content 1109 has been received and decrypted, the trustedapplication 200 and its components prevent unauthorized access to thecontent 1109.

Digital rights management 1004 may provide a further avenue ofprotection for the trusted application 200 and the content 1109 itprocesses. Through a system of licenses 1108, device certificates 1111,and other security mechanisms a content provider is typically able tohave confidence that encrypted content 1109 has been delivered to theproperly authorized device and that the content 1109 is used asintended.

FIG. 12 is a block diagram showing a system for downloading digitalmedia content 1210 from a service provider 1207 to an exemplary trustedapplication 200 utilizing a protected environment 230. In the exampleshown the trusted application 200 is shown being employed in two places1201, 1203. The trusted application 200 may be used in a CE device 1201or a PC 1203. Digital media 1210 may be downloaded via a serviceprovider 1207 and the Internet 1205 for use by the trusted application200. Alternatively, digital media may be made available to the trustedapplication via other mechanisms such as a network, a CD or DVD disk, orother storage media. Further, the digital media 1210 may be provided inan encrypted form 1109 requiring a system of decryption keys, licenses,certificates and/or the like which may take the form of a digital rightsmanagement system 1004. The data or media content 1210 provided to thetrusted application may or may not be protected, i.e., encrypted or thelike.

In one example, a trusted application 200 may utilize a digital rightsmanagement (“DRM”) system 1004 or the like along with a protectedenvironment 230. In this case, the trusted application 200 is typicallydesigned to acknowledge, and adhere to, the content's usage policies bylimiting usage of the content to that authorized by the content providervia the policies. Implementing this may involve executing code whichtypically interrogates content licenses and subsequently makes decisionsabout whether or not a requested action can be taken on a piece ofcontent. This functionality may be provided, at least in part, by adigital rights management system 1004. An example of a Digital RightsManagement system is provided in U.S. patent application Ser. No.09/290,363, filed Apr. 12, 1999, U.S. patent application Ser. Nos.10/185,527, 10/185,278, and 10/185,511, each of which filed on Jun. 28,2002, and incorporated herein by reference in its entirety.

Building a trusted application 200 that may be utilized in the CE device1201 or the PC 1203 may include making sure the trusted application 200which decrypts and processes the content 1109 may be “secure” frommalicious attacks. Thus, a protected environment 230 typically refers toan environment that may not be easy to attack.

As shown, the trusted applications 200 operate in a consumer electronicsdevice 1201, which can be periodically synced to a PC 1203 that alsoprovides a trusted application. The PC 1203 is in turn coupled 1204 tothe internet 1205. The internet connection allows digital media 1210 tobe provided by a service provider 1207. The service provider 1207 maytransmit licenses and encrypted media 1206 over the internet 1205 totrusted application 200. Once encrypted media is delivered and decryptedit may be susceptible to various forms of attack.

A protected computing environment tends to provide an environment thatlimit hackers from gaining access to unauthorized content. A hacker mayinclude hackers acting as a systems administrator. A systemsadministrator typically has full control of virtually all of theprocesses being executed on a computer, but this access may not bedesirable. For example, if a system user has been granted a license touse a media file it should not be acceptable for a system administratordifferent from the user to be able to access the media file. A protectedenvironment tends to contribute to the creation of a process in whichcode that decrypts and processes content can operate without givinghackers access to the decrypted content. A protected environment mayalso limit unauthorized access to users of privilege, such asadministrators, and/or any other user, who may otherwise gainunauthorized access to protected content. Protection may includesecuring typical user mode (FIG. 9, 903) processes and kernel mode (FIG.9, 904) processes and any data they may be processing.

Processes operating in the kernel may be susceptible to attack. Forexample, in the kernel of a typical operating system objects arecreated, including processes, which may allow unlimited access by anadministrator. Thus, an administrator, typically with full accessprivileges, may access virtually all processes.

Protected content may include policy or similar information indicatingthe authorized use of the content. Such policy may be enforced via a DRMsystem or other mechanism. Typically, access to the protected content isgranted through the DRM system or other security mechanism, which mayenforce policy. However, a system administrator, with full access to thesystem, may alter the state of the DRM system or mechanism to disregardthe content policy.

A protected environment tends to provide a protected space thatrestricts unauthorized access to media content being processed therein,even for high-privilege users such as an administrator. When a protectedenvironment is used in conjunction with a system of digital rightsmanagement or the like, a trusted application may be created in which acontent provider may feel that adequate security is provided to protectdigital media from unauthorized access and may also protect thecontent's policy from be tampered with along with any other data, keysor protection mechanisms that may be associated with the media content.

Current operating system (“OS”) architectures typically present numerouspossible attack vectors that could compromise a media application andany digital media content being processed. For purposes of this example,attacks that may occur in an OS are grouped into two types of attacks,which are kernel mode attacks and user mode attacks.

The first type of attack is the kernel mode attack. Kernel mode istypically considered to be the trusted base of the operating system. Thecore of the operating system, most system and peripheral drivers operatein kernel mode. Typically any piece of code running in the kernel issusceptible to intrusion by any other piece of code running in thekernel, which tends not to be the case for user mode. Also, code runningin kernel mode typically has access to substantially all user modeprocesses. A CPU may also provide privilege levels for various codetypes. Kernel mode code is typically assigned the highest level ofprivilege by such a CPU, typically giving it full access to the system.

The second type of attack is the user mode attack. Code that runs inuser mode may or may not be considered trusted code by the systemdepending on the level of privilege it has been assigned. This level ofprivilege may be determined by the user context or account in which itis operating. User mode code running in the context of an administratoraccount may have full access to the other code running on the system. Inaddition, code that runs in user mode may be partitioned to prevent oneuser from accessing another's processes.

These attacks may be further broken down into specific attack vectors.The protected environment is typically designed to protect againstunauthorized access that may otherwise be obtained via one or more ofthese attack vectors. The protected environment may protect againstattack vectors that may include: process creation, malicious user modeapplications, loading malicious code into a process, malicious kernelcode, invalid trust authorities, and external attack vectors.

Process creation is a possible attack vector. An operating systemtypically includes a “create process” mechanism that allows a parentprocess to create a child process being created. A malicious parentprocess may, by modifying the create process code or by altering thedata it creates, make unauthorized modifications to the child process.This could result in compromising digital media that may be processed bya child process created by a malicious parent process.

Malicious user mode applications are a possible attack vector. Anoperating system typically includes administrator level privileges.Processes running with administrator privileges may have unlimitedaccess to many operating system mechanisms and to nearly all processesrunning on the computer. Thus, in Windows for example, a malicious usermode application running with administrator privileges may gain accessto many other processes running on the computer and may thus compromisedigital media. Similarly, processes operating in the context of any usermay be attacked by any malicious process operating in the same context.

Loading malicious code into a secure process is a possible attackvector. It may be possible to append or add malicious code to a process.Such a compromised process cannot be trusted and may obtain unauthorizedaccess to any media content or other data being processed by themodified process.

Malicious kernel mode code is a possible attack vector. An operatingsystem typically includes a “system level” of privilege. In Windows, forexample, all code running in kernel mode is typically running as systemand therefore may have maximum privileges. The usual result is that alldrivers running in kernel mode have maximum opportunity to attack anyuser mode application, for example. Such an attack by malicious kernelmode code may compromise digital media.

Invalid trust authorities (TAs) are a possible attack vector. TAs mayparticipate in the validation of media licenses and may subsequently“unlock” the content of a digital media. TAs may be specific to a mediatype or format and may be implemented by media providers or theirpartners. As such, TAs may be pluggable and/or may be provided asdynamic link libraries (“DLL”). A DLL or the like may be loaded byexecutable code, including malicious code. In order for a TA to ensurethat the media is properly utilized it needs to be able to ensure thatthe process in which it is running is secure. Otherwise the digitalmedia may be compromised.

External attacks are another possible attack vector. There are a set ofattacks that don't require malicious code running in a system in orderto attack it. For instance, attaching a debugger to a process or akernel debugger to the machine, looking for sensitive data in a binaryfile on a disk, etc., are all possible mechanisms for finding andcompromising digital media or the processes that can access digitalmedia.

FIG. 13 is a block diagram showing exemplary attack vectors 1307-1310that may be exploited by a user or mechanism attempting to access mediacontent or other data 1300 typically present in a computing environment900 in an unauthorized manner. A protected environment may protectagainst these attack vectors such that unauthorized access to trustedapplications and the data they process is limited and resistance toattack is provided. Such attacks may be made by users of the system ormechanisms that may include executable code. The media application 100is shown at the center of the diagram and the attack vectors 1307-1310tend to focus on accessing sensitive data 1300 being stored and/orprocessed by the application 100.

A possible attack vector 1309 may be initiated via a malicious user modeapplication 1302. In the exemplary operating system architecture boththe parent of a process, and any process with administrative privileges,typically have unlimited access to other processes, such as oneprocessing media content, and the data they process. Such access tomedia content may be unauthorized. Thus a protected environment mayensure that a trusted application and the media content it processes areresistant to attacks by other user mode applications and/or processes.

A possible attack vector 1308 is the loading of malicious code 1303 intoa process 1301. Having a secure process that is resistant to attacksfrom the outside is typically only as secure as the code running on theinside forming the process. Given that DLLs and other code are typicallyloaded into processes for execution, a mechanism that may ensure thatthe code being loaded is trusted to run inside a process before loadingit into the process may be provided in a protected environment.

A possible vector of attack 1310 is through malicious kernel mode code1304. Code running in kernel mode 904 typically has maximum privileges.The result may be that drivers running in kernel mode may have a numberof opportunities to attack other applications. For instance, a drivermay be able to access memory directly in another process. The result ofthis is that a driver could, once running, get access to a processesmemory which may contain decrypted “encrypted media content” (FIG. 11,1109). Kernel Mode attacks may be prevented by ensuring that the coderunning in the kernel is non-malicious code, as provided by thisexample.

A possible attack vector 1307 is by external attacks 1306 to the system900. This group represents the set of attacks that typically do notrequire malicious code to be running on the system 900. For instance,attaching a debugger to an application and/or a process on the system,searching a machine 900 for sensitive data, etc. A protected environmentmay be created to resist these types of attacks.

FIG. 14 is a flow diagram showing the process 1400 for creating andmaintaining a protected environment that tends to limit unauthorizedaccess to media content and other data. The sequence 1400 begins when acomputer system is started 1402 and the kernel of the operating systemis loaded and a kernel secure flag is set 1404 to an initial value. Theprocess continues through the time that a protected environment istypically created and an application is typically loaded into it 1406.The process includes periodic checking 1408 via the protectedenvironment that seeks to ensure the system remains secure through thetime the secure process is needed.

The term “kernel”, as used here, is defined as the central module of anoperating system for a computing environment, system or device. Thekernel module may be implemented in the form of computer-executableinstructions and/or electronic logic circuits. Typically, the kernel isresponsible for memory management, process and task management, andstorage media management of a computing environment. The term “kernelcomponent”, as used here, is defined to be a basic controllingmechanism, module, computer-executable instructions and/or electroniclogic circuit that forms a portion of the kernel. For example, a kernelcomponent may be a “loader”, which may be responsible for loading otherkernel components in order to establish a fully operational kernel.

To summarize the process of creating and maintaining a protectedenvironment:

1. Block 1402 represents the start-up of a computer system. Thistypically begins what is commonly known as the boot process and includesloading an operating system from disk or some other storage media.

2. Typically one of the first operations during the boot process is theloading of the kernel and its components. This example provides thevalidation of kernel components and, if all are successfully validatedas secure, the setting of a flag indicating the kernel is secure. Thisis shown in block 1404.

3. After the computer system is considered fully operational a user maystart an application such as a trusted media player which may call for aprotected environment. This example provides a secure kernel with anapplication operating in a protected environment, as shown in block1406.

4. Once the protected environment has been created and one or more ofthe processes of the application have been loaded into it and areoperating, the trusted environment may periodically check the kernelsecure flag to ensure the kernel remains secure, as shown in block 1408.That is, from the point in time that the trusted application beginsoperation, a check may be made periodically to determine whether anyunauthorized kernel components have been loaded. Such unauthorizedkernel components could attack the trusted application or the data itmay be processing. Therefore, if any such components are loaded, thekernel secure flag may be set appropriately.

FIG. 15 is a block diagram showing exemplary kernel components 1520-1530and other components 1510-1514 utilized in creating an exemplary securecomputing environment 1000. This figure shows a computer systemcontaining several components 1510-1530 typically stored on a disk orthe like, several of which are used to form the kernel of an operatingsystem when a computer is started. Arrow 1404 indicates the process ofloading the kernel components into memory forming the operational kernelof the system. The loaded kernel 1550 is shown containing its variouscomponents 1551-1562 and a kernel secure flag 1590 indicating whether ornot the kernel is considered secure for a protected environment. Thekernel secure flag 1590 being described as a “flag” is not meant to belimiting; it may be implemented as a boolean variable or as a morecomplex data structure or mechanism.

Kernel components 1520-1530 are typically “signed” and may includecertificate data 1538 that may enable the kernel to validate that theyare the components they claim to be, that they have not been modifiedand/or are not malicious. A signature block and/or certificate data 1538may be present in each kernel component 1520-1530 and/or each loadedkernel component 1560, 1562. The signature and/or certificate data 1538may be unique to each component. The signature and/or certificate data1538 may be used in the creation and maintenance of protectedenvironments as indicated below. Typically a component is “signed” byits provider in such as way as to securely identify the source of thecomponent and/or indicate whether it may have been tampered with. Asignature may be implemented as a hash of the component's header or byusing other techniques. A conventional certificate or certificate chainmay also be included with a component that may be used to determine ifthe component can be trusted. The signature and/or certificate data 1538are typically added to a component before it is distributed for publicuse. Those skilled in the art will be familiar with these technologiesand their use.

When a typical computer system is started or “booted” the operatingsystem's loading process or “kernel loader” 1551 will typically load thecomponents of the kernel from disk or the like into a portion of systemmemory to form the kernel of the operating system. Once all of thekernel components are loaded and operational the computer and operatingsystem are considered “booted” and ready for normal operation.

Kernel component #1 1520 thru kernel component #n 1530, in the computingenvironment, may be stored on a disk or other storage media, along witha revocation list 1514, a kernel dump flag 1512 and a debugger 1510along with a debug credential 1511. Arrow 1404 indicates the kernelloading process which reads the various components 1514-1530 from theirstorage location and loads them into system memory forming a functionaloperating system kernel 1550. The kernel dump flag 1512 being describedas a “flag” is not meant to be limiting; it may be implemented as aboolean variable or as a more complex data structure or mechanism.

The kernel loader 1551 along with the PE management portion of thekernel 1552, the revocation list 1554 and two of the kernel components1520 and 1522 are shown loaded into the kernel, the latter as blocks1560 and 1562, along with an indication of space for additional kernelcomponents yet to be loaded into the kernel, 1564 and 1570. Finally, thekernel 1550 includes a kernel secure flag 1590 which may be used toindicate whether or not the kernel 1550 is currently considered secureor not. This illustration is provided as an example and is not intendedto be limiting or complete. The kernel loader 1551, the PE managementportion of the kernel 1552 and/or the other components of the kernel areshown as distinct kernel components for clarity of explanation but, inactual practice, may or may not be distinguishable from other portionsof the kernel.

Included in the computing environment 1000 may be a revocation list 1514that may be used in conjunction with the signature and certificate data1538 associated with the kernel components 1560 and 1562. This object1514 may retain a list of signatures, certificates and/or certificatechains that are no longer considered valid as of the creation date ofthe list 1514. The revocation list 1514 is shown loaded into the kernelas object 1554. Such lists are maintained because a validly-signed andcertified component, for example components 1560 and 1562, may later bediscovered to have some problem. The system may use such a list 1554 tocheck kernel components 1520-1530 as they are loaded, which may beproperly signed and/or have trusted certificate data 1538, but that mayhave subsequently been deemed untrustworthy. Such a revocation list 1554will typically include version information 1555 so that it can moreeasily be identified, managed and updated as required.

Another component of the system that may impact kernel security is adebugger 1510. Debuggers may not typically be considered a part of thekernel but may be present in a computing environment 1000. Debuggers,including those known as kernel debuggers, system analyzers, and thelike, may have broad access to the system and the processes running onthe system along with any data present. A debugger 1510 may be ableaccess any data in a computing environment 1000, including media contentthat should not be accessed in a manner other than that authorized. Onthe other hand, debugging is typically a part of developing newfunctionality and it should be possible to debug within protectedenvironments the code intended to process protected media content. Adebugger 1510 may thus include debug credentials 1511 which may indicatethat the presence of the debugger 1510 on a system is authorized. Thusdetection of the presence of a debugger 1510 along with any accompanyingcredentials 1511 may be a part of the creation and maintenance ofprotected environments (FIG. 14, 1400).

The computing environment 1000 may include a kernel dump flag 1512. Thisflag 1512 may be used to indicate how much of kernel memory is availablefor inspection in case of a catastrophic system failure. Such kerneldumps may be used for postmortem debugging after such as failure. Ifsuch a flag 1512 indicates that system memory is available forinspection upon a dump then the kernel 1550 may be considered insecureas hacker could run an application which exposes protected media insystem memory and then force a catastrophic failure condition which mayresult in the system memory being available for inspection, includingthat containing the exposed media content. Thus a kernel dump flag 1512may be used in the creation and maintenance of a protected environments(FIG. 14, 1400).

FIG. 16 and FIG. 17 are flow diagrams showing an exemplary process 1404for loading kernel components to create an exemplary secure computingenvironment. This process 1404 begins after the kernel loader has beenstarted and the PE management portion of the kernel has been loaded andmade operational. Not shown in these figures, the PE management portionof the kernel may validate the kernel loader itself and/or any otherkernel elements that may have been previously loaded. Validation isusually defined as determining whether or not a given component isconsidered secure and trustworthy as illustrated in part 2 of thisprocess 1404.

The term “authorized for secure use” and the like as used below withrespect to kernel components has the following specific meaning. Akernel containing any components that are not authorized for secure usedoes not provide a secure computing environment within which protectedenvironments may operate. The opposite may not be true as it depends onother factors such as attack vectors.

1. Block 1601 shows the start of the loading process 1404 after the PEmanagement portion of the kernel has been loaded and made operational.Any component loaded in the kernel prior to this may be validated asdescribed above.

2. Block 1602 shows the kernel secure flag initially set to TRUE unlessany component loaded prior to the PE management portion of the kernel,or that component itself, is found to be insecure at which point thekernel secure flag may be set to FALSE. In practice the indication ofTRUE or FALSE may take various forms; the use of TRUE or FALSE here isonly an example and is not meant to be limiting.

3. Block 1604 indicates a check for the presence of a debugger in thecomputing environment. Alternatively a debugger could reside remotelyand be attached to the computing environment via a network or othercommunications media to a process in the computing environment. If nodebugger is detected the loading process 1404 continues at block 1610.Otherwise it continues at block 1609. Not shown in the diagram, thischeck may be performed periodically and the state of the kernel secureflag updated accordingly.

4. If a debugger is detected, block 1606 shows a check for debugcredentials which may indicate that debugging is authorized on thesystem in the presence of a protected environment. If such credentialsare not present, the kernel secure flag may be set to FALSE as shown inblock 1608. Otherwise the loading process 1404 continues at block 1610.

5. Block 1610 shows a check of the kernel dump flag. If this flagindicates that a full kernel memory dump or the like is possible thenthe kernel secure flag may be set to FALSE as shown in block 1608.Otherwise the loading process 1404 continues at block 1612. Not shown inthe diagram, this check may be performed periodically and the state ofthe kernel secure flag updated accordingly.

6. Block 1612 shows the loading of the revocation list into the kernel.In cases where the revocation list may be used to check debugcredentials, or other previously loaded credentials, signatures,certificate data, or the like, this step may take place earlier in thesequence (prior to the loading of credentials and the like to bechecked) than shown. Not shown in the diagram is that, once thiscomponent is loaded, any and all previously loaded kernel components maybe checked to see if their signature and/or certificate data has beenrevoked per the revocation list. If any have been revoked, the kernelsecure flag may be set to FALSE and the loading process 1404 continuesat block 1614. Note that a revocation list may or may not be loaded intothe kernel to be used in the creation and maintenance of a protectedenvironments.

7. Block 1614 shows the transition to part 2 of this diagram shown inFIG. 17 and continuing at block 1701.

8. Block 1702 shows a check for any additional kernel components to beloaded. If all components have been loaded then the load process 1404 isusually complete and the kernel secure flag remains in whatever state itwas last set to, either TRUE or FALSE. If there are additional kernelcomponents to be loaded the load process 1404 continues at block 1706.

9. Block 1706 shows a check for a valid signature of the next componentto be loaded. If the signature is invalid then the kernel secure flagmay be set to FALSE as shown in block 1718. Otherwise the loadingprocess 1404 continues at block 1708. If no component signature isavailable the component may be considered insecure and the kernel secureflag may be set to FALSE as shown in block 1718. Signature validity maybe determined by checking for a match on a list of valid signaturesand/or by checking whether the signer's identity is a trusted identity.As familiar to those skilled in the security technology area, othermethods could also be used to validate component signatures.

10. Block 1708 shows a check of the component's certificate data. If thecertificate data is invalid then the kernel secure flag may be set toFALSE as shown in block 1718. Otherwise the loading process 1404continues at block 1710. If no component certificate data is availablethe component may be considered insecure and the kernel secure flag maybe set to FALSE as shown in block 1718. Certificate data validity may bedetermined by checking the component's certificate data to see if thecomponent is authorized for secure use. As familiar to those skilled inthe art, other methods could also be used to validate componentcertificate data.

11. Block 1710 shows a check of the component's signature against arevocation list. If the signature is present on the list, indicatingthat it has been revoked, then the kernel secure flag may be set toFALSE as shown in block 1718. Otherwise the loading process 1404continues at block 1712.

12. Block 1712 shows a check of the component's certificate data againsta revocation. If the certificate data is present on the list, indicatingthat it has been revoked, then the kernel secure flag may be set toFALSE as shown in block 1718. Otherwise the loading process 1404continues at block 1714.

13. Block 1714 shows a check of the component's signature to determineif it is OK for use. This check may be made by inspecting thecomponent's leaf certificate data to see if the component is authorizedfor secure use. Certain attributes in the certificate data may indicateif the component is approved for protected environment usage. If not thecomponent may not be appropriately signed and the kernel secure flag maybe set to FALSE as shown in block 1718. Otherwise the loading process1404 continues at block 1716.

14. Block 1716 shows a check of the component's root certificate data.This check may be made by inspecting the component's root certificatedata to see if it is listed on a list of trusted root certificates. Ifnot the component may be considered insecure and the kernel secure flagmay be set to FALSE as shown in block 1718. Otherwise the loadingprocess 1404 continues at block 1720.

15. Block 1720 shows the loading of the component into the kernel whereit is now considered operational. Then the loading process 1404 returnsto block 1702 to check for any further components to be loaded.

FIG. 18 is a block diagram showing a secure computing environment 1000loading an application 100 into an exemplary protected environment 230to form a trusted application that may be resistant to attack. In thisexample the kernel may be the same as that described in FIG. 15, hasalready been loaded and the system 1000 is considered fully operational.At this point, as an example, a user starts media application 100. Themedia application 100 may call for the creation of a protectedenvironment 230 for one or more of its processes and/or components tooperate within. The protected environment creation process 1406 createsthe protected environment 230 and loads the application 100 and/or itscomponents as described below.

FIG. 19 is a flow diagram showing an exemplary process 1406 for creatinga protected environment and loading an application into the protectedenvironment. This process 1406 includes the initial step of creating asecure process followed by validating the software component to beloaded into it and then loading the software component into the newsecure process and making it operational. Upon success, the result maybe a software component operating in a protected environment supportedby a secure kernel. Such a software component, along with any digitalmedia content or other data it processes, may be protected from variousattacks, including those described above.

1. Block 1901 shows the start of the protected environment creationprocess 1406. This point is usually reached when some application orcode calls for a protected environment to operate.

2. Block 1902 shows the establishment of a protected environment. Whilenot shown in the diagram, this may be accomplished by requesting theoperating system to create a new secure process. Code later loaded andoperating in this secure process may be considered to be operating in aprotected environment. If the kernel secure flag is set to FALSE thenthe “create new secure process” request may fail. This may be becausethe system as a whole is considered insecure and unsuitable for aprotected environment and any application or data requiring a protectedenvironment. Alternatively, the “create new secure process” request maysucceed and the component loaded into the new process may be informedthat the system is considered insecure so that it can modify itsoperations accordingly. Otherwise the process 1406 continues at block1906.

3. Block 1906 shows a check for a valid signature of the softwarecomponent to be loaded into the new secure process or protectedenvironment. If the signature is invalid then the process 1406 may failas shown in block 1918. Otherwise the process 1406 continues at block1908. Not shown in the process is that the program, or its equivalent,creating the new secure process may also be checked for a validsignature and the like. Thus, for either the component itself and/or theprogram creating the new secure process, if no signature is availablethe component may be considered insecure and the process 1406 may failas shown in block 1918. Signature validity may be determined by checkingfor a match on a list of valid signatures and/or by checking whether thesigner's identity is a trusted identity. As familiar to those skilled inthe security technology area, other methods could also be used tovalidate component signatures.

4. Block 1908 shows a check of the software component's certificatedata. If the certificate data is invalid then the process 1406 may failas shown in block 1918. Otherwise the process 1406 continues at block1910. If no component certificate data is available the component may beconsidered insecure and the process 1406 may fail as shown in block1918. Certificate data validity may be determined by checking thecomponent's certificate data to see if the component is authorized forsecure use. As familiar to those skilled in the art, other methods couldalso be used to validate component certificate data.

Block 1910 shows a check of the component's signature against arevocation list. If the signature is present on the list, indicatingthat it has been revoked, then the process 1406 may fail as shown inblock 1918. Otherwise the process 1406 continues at block 1912.

12. Block 1912 shows a check of the component's certificate data againstthe revocation list. If the certificate data is present on the list,indicating that it has been revoked, then the process 1406 may fail asshown in block 1918. Otherwise the process 1406 continues at block 1914.

13. Block 1914 shows a check of the component's signature to determineif it is acceptable for use. This check may be made by inspecting thecomponent's leaf certificate data to see if the component is authorizedfor secure use. Certain attributes in the certificate data may indicateif the component is approved for protected environment usage. If not thecomponent may be considered to not be appropriately signed and theprocess 1406 may fail as shown in block 1918. Otherwise the process 1406continues at block 1916.

14. Block 1916 shows a check of the component's root certificate data.This check may be made by inspecting the component's root certificatedata to see if it is listed on a list of trusted root certificates. Ifnot the component may be considered insecure and the process 1406 mayfail as shown in block 1918. Otherwise the process 1406 continues atblock 1920.

15. Block 1918 shows the failure of the software component to loadfollowed by block 1930, the end of the protected environment creationprocess 1406.

16. Block 1920 shows the software component being loaded into theprotected environment, where it is considered operational, followed byblock 1930, the end of the protected environment creation process 1406.

FIG. 20 is a block diagram showing an exemplary trusted applicationutilizing an exemplary protected environment 230 periodically checking1408 the security state 1590 of the secure computing environment 1000.In this example, the computing environment 1000 and the kernel 1550 maybe the same as those described in FIG. 15 and FIG. 16. The kernel 1550has already been loaded and the computer 1000 is considered fullyoperational. Further, a protected environment has been created and theappropriate components of the trusted application have been loaded intoit and made operational, establishing a trusted application utilizing aprotected environment 230, hereafter referred to simply as the“protected environment”.

The protected environment 230 may periodically check with the PEmanagement portion of the kernel 1552 to determine whether the kernel1550 remains secure over time. This periodic check may be performedbecause it is possible for a new component to be loaded into the kernel1550 at any time, including a component that may be considered insecure.If this were to occur, the state of the kernel secure flag 1590 maychange to FALSE and the code operating in the protected environment 230has the opportunity to respond appropriately.

For example, consider a media player application that was started on aPC 1000 with a secure kernel 1550 and a portion of the media playerapplication operating in a protected environment 230 processing digitalmedia content that is licensed only for secure use. In this example, ifa new kernel component that is considered insecure is loaded while themedia player application is processing the media content, then the checkkernel secure state process 1040 would note the kernel secure flag 1590has changed to FALSE indicating the kernel 1550 may no longer be secure.

Alternatively, the revocation list 1545 may be updated and a kernelcomponent previously considered secure may no longer be consideredsecure, resulting in the kernel secure flag 1590 being set to FALSE. Atthis point the application may receive notification that the system 1000is no longer considered secure and can terminate operation, or takeother appropriate action to protect itself and/or the media content itis processing.

FIG. 21 is a flow diagram showing an exemplary process 1408 forperiodically checking the security state of the secure computingenvironment. This process 1408 may be used by a protected environment230 to determine if the kernel remains secure over time. The protectedenvironment 230 may periodically use this process 1408 to check thecurrent security status of the kernel. The protected environment 230and/or the software component operating within it may use the currentsecurity status information to modify its operation appropriately.Periodic activation of the process may be implemented using conventionaltechniques.

The diagram in FIG. 21 shows a sequence of communications 1408,illustrated with exemplary pseudo code, between the protectedenvironment 230 and the PE management portion of the kernel 1552. Thiscommunication may include a check of the version of a revocation listwhich may give an application the ability to specify a revocation listof at least a certain version. This communications sequence may becryptographically secured using conventional techniques.

1. The protected environment 230 makes a IsKernelSecure(MinRLVer) call2120 to the PE management portion of the kernel to query the currentsecurity state of the kernel. Included in this call 2120 may be theminimum version (MinRLVer) of the revocation list expected to beutilized.

2. The PE management portion of the kernel checks to see if theprotected environment, which is the calling process, is secure. If not,then it may provide a Return(SecureFlag=FALSE) indication 2122 to theprotected environment and the communications sequence 1408 is complete.This security check may be done by the PE management portion of thekernel checking the protected environment for a valid signature and/orcertificate data as described above.

3. Otherwise, the PE management portion of the kernel checks the kernelsecure flag in response to the call 2120. If the state of the flag isFALSE then it may provide a Return(SecureFlag=FALSE) indication 2124 tothe protected environment and the communications sequence 1408 iscomplete.

4. Otherwise, the PE management portion of the kernel checks therevocation list version information for the revocation list. If therevocation list has version information that is older than thatrequested in the IsKernelSecure(MinRLVer) call 2120 then several optionsare possible. First, as indicated in the diagram, the PE managementportion of the kernel may provide a Return(SecureFlag=FALSE) indication2126 to the protected environment and the communications sequence 1408is complete.

Alternatively, and not shown in the diagram, an appropriate versionrevocation list may be located and utilized, all kernel components maybe re-validated using this new or updated list, the kernel secure flagupdated as appropriate and the previous step #3 of this communicationssequence 1408 repeated.

5. Otherwise, the PE management portion of the kernel may provide aReturn(SecureFlag=TRUE) indication 2128 to the protected environment andthe communications sequence 1408 is complete.

FIG. 22 is a block diagram showing an exemplary computing environment800 including a representation of a protected environment 230, a trustedmedia system 200, and other related elements. Exemplary personalcomputer 800 is similar to that shown in FIG. 8 with the addition ofkernel components 1520-1530 that may be stored on the disk 810 alongwith the other operating system code and the like. Media application 100and/or a digital rights management system 1004 may be stored on the disk810 along with other application programs. These components 1520-1530and applications 100, 1004 may be loaded into system memory 809 andconsidered operational. Shown loaded in system memory 809 is a trustedapplication 200 utilizing a protected environment 230 and media content110.

1. A computing device comprising: a processor; memory coupled to theprocessor; a protected media pipeline implemented at least in part bythe processor and the memory, the protected media pipeline configured toprocess digital media, the protected media pipeline comprising: a mediasource coupled to a first secure connection over which the digital mediais received via the media source into the protected media pipeline; anda media sink coupled to a second secure connection over which processeddigital media is transferred via the media sink out of the protectedmedia pipeline.
 2. The computing device of claim 1 coupled to aprotected input via the first secure connection and via which thedigital media is initially received into the computing device, where theprotected input is configured to limit unauthorized access to thedigital media.
 3. The computing device of claim 1 coupled to a protectedoutput via the second secure connection and via which the processeddigital media is transferred from the computing device, where theprotected output is configured to limit unauthorized access to theprocessed digital media.
 4. The computing device of claim 1 where thefirst secure connection is configured to limit unauthorized access tothe digital media.
 5. The computing device of claim 1 where the secondsecure connection is configured to limit unauthorized access to theprocessed digital media.
 6. The computing device of claim 1, theprotected media pipeline further comprising a protected space thatincludes at least one transform mechanism that is configured totransform the digital media, where the protected space is configured tolimit unauthorized access to the digital media and the processed digitalmedia.
 7. The computing device of claim 1, where the protected mediapipeline is configured to limit unauthorized access to the digital mediaand the processed digital media.
 8. A method performed on a computingdevice that comprises a processor, memory, and a protected mediapipeline that is configured to process digital media, the methodcomprising: receiving, by a media source over a first secure connectioninto the protected media pipeline, the digital media, where the mediasource is a component of the protected media pipeline; transferring, bya media sink over a second secure connection out of the protected mediapipeline, processed digital media, where the media sink is a componentof the protected media pipeline.
 9. The method of claim 9, the receivingbased on the computing device being coupled to a protected input via thefirst secure connection and via which the digital media is initiallyreceived into the computing device, where the protected input isconfigured to limit unauthorized access to the digital media.
 10. Themethod of claim 9, the transferring based on the computing device beingcoupled to a protected output via the second secure connection and viawhich the processed digital media is transferred from the computingdevice, where the protected output is configured to limit unauthorizedaccess to the processed digital media.
 11. The method of claim 9 wherethe first secure connection is configured to limit unauthorized accessto the digital media.
 12. The method of claim 9 where the second secureconnection is configured to limit unauthorized access to the processeddigital media.
 13. The method of claim 9 further comprisingtransforming, by at least one transform mechanism, the digital media,where the at least one transform mechanism is a component of a protectedspace of the protected media pipeline, where the protected space isconfigured to limit unauthorized access to the digital media and theprocessed digital media.
 14. The method of claim 9, where the protectedmedia pipeline is configured to limit unauthorized access to the digitalmedia and the processed digital media.
 15. At least on computer-readablemedia that comprises: memory that includes computer-executableinstructions that, based on execution by a computing device thatcomprises a protected media pipeline that is configured to processdigital media, configure the computing device to perform actionscomprising: receiving, via a media source over a first secure connectioninto the protected media pipeline, the digital media, where the mediasource is a component of the protected media pipeline; transferring, viaa media sink over a second secure connection out of the protected mediapipeline, processed digital media, where the media sink is a componentof the protected media pipeline.
 16. The at least on computer-readablemedia of claim 15, the receiving based on the computing device beingcoupled to a protected input via the first secure connection and viawhich the digital media is initially received into the computing device,where the protected input is configured to limit unauthorized access tothe digital media.
 17. The at least on computer-readable media of claim15, the transferring based on the computing device being coupled to aprotected output via the second secure connection and via which theprocessed digital media is transferred from the computing device, wherethe protected output is configured to limit unauthorized access to theprocessed digital media.
 18. The at least on computer-readable media ofclaim 15 where the first secure connection is configured to limitunauthorized access to the digital media, or where the second secureconnection is configured to limit unauthorized access to the processeddigital media.
 19. The at least on computer-readable media of claim 15,the actions further comprising transforming, by at least one transformmechanism, the digital media, where the at least one transform mechanismis a component of a protected space of the protected media pipeline,where the protected space is configured to limit unauthorized access tothe digital media and the processed digital media.
 20. The at least oncomputer-readable media of claim 15, where the protected media pipelineis configured to limit unauthorized access to the digital media and theprocessed digital media.